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WHAT IS CLAIMED IS: 

1. A relay apparatus for a terminal or a server on a private 
netvs^ork that does not have an address on a global network to perform 
communication through the global network, comprising: 

5 a WAN interface unit which provides communication with the 

global network; 

a LAN interface unit which provides communication with the 
private network; 

an access control unit having means for controlling access from the 
10 global network to the private network in accordance with an access control 
rule which is established on a per sending device basis or on a per sending 
network basis; 

an address translation unit having: 

means for translating an address in accordance with an address 
15 translation rule established on a per sending device basis, in order to 
transferring information from a terminal on the global network to a terminal 
on the private network; and 

means for translating an address in accordance with an address 
translation rule established on a per sending device basis, in order to 
20 transferring information from a terminal on the private network to a terminal 
on the global network; and 

a database unit which records the access control rule and the 
address translation rule. 

2. The relay apparatus according to Claim 1, comprising: 

25 an authentication unit which performs authentication in response to 

a request for access permission sent from a terminal on the global network, 
wherein: 
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the database unit further records user information used by the 
authentication unit to perform authentication; 
the access control unit further has: 

means for adding an access control rule established on a per sending 
5 device basis or a per sending network basis to the database unit if the 
authentication succeeds; and 

means for deleting the added access control rule fi'om the database 
unit when a predetermined criterion for ending communication is satisfied; 
and 

10 the address translation unit further has: 

means for adding an address translation rule established on a per 
sending device basis to the database unit if the authentication succeeds; and 

means for deleting the added address translation rule from the 
database unit when a predetermined criterion for ending communication is 
15 satisfied. 

3. The relay apparatus according to Claim 1, wherein: 
the access control unit further has: 

means for adding an access control rule established on a per sending 
device basis or on a per sending network basis to the database unit in response 
20 to a request from an authentication sever which performs authentication of a 
terminal on the global network; and 

means for deleting the added access control rule from the database 
unit when a predetermined criterion for ending communication is satisfied; 
and 

25 the address translation unit further has: 

means for adding an address translation rule established on a per 
sending device basis to the database unit in response to a request from the 



-52- 

authentication server; and 

means for deleting the added address translation rule from the 
database unit when a predetermined criterion for ending communication is 
satisfied. 

5 4. An authentication server which permits access to the relay 

apparatus according to Claim 3, comprising: 

an interface unit which provides communication with a terminal on 
the global network and the relay apparatus; 

an authentication unit which performs authentication in response to 
10 a request for permission to access the relay apparatus from a terminal on the 
global network; 

a control unit having: 

means for requesting the relay apparatus to add an access control 
rule and an address translation rule for a packet from a terminal on the global 
15 network if authentication at the authentication unit succeeds; and 

means for requesting the relay apparatus to delete the added access 
control rule and address translation rule when a predetermined criterion for 
ending communication is satisfied; and 

a database unit which records information associating user 
20 information used by the authentication unit to perform authentication with an 
access control rule and address translation rule requested to be added. 

5. The relay apparatus according to any of Claims 1 to 3, wherein: 

the access control unit further has: 

means for adding an access control rule established on a per sending 
25 device basis to the database unit in response to a request for initiating 
communication from a terminal on a private network; and 

means for deleting the added access control rule from the database 
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unit when a predetermined criterion for ending communication is satisfied; 
and 

the address translation unit further has: 

means for adding an address translation rule established on a per 
5 sending device basis to the database unit in response to a request for initiating 
communication fi:'om a terminal on the private network; and 

means for deleting the added address translation rule from the 
database unit when a predetermined criterion for ending communication is 
satisfied. 

10 6. An address translation apparatus for a terminal or a server on a 

private network that does not have an address on a global network to perform 
communication through the global network, comprising: 

a WAN interface unit which provides communication with the 
global network; 

15 a LAN interface unit which provides communication with the 

private network; 

an address translation unit having: 

means for translating an address in accordance with an address 
translation rule established on a per sending device basis, in order to 
20 transferring information from a terminal on the global network to a terminal 
on the private network; and 

means for translating an address in accordance with an address 
translation rule established on a per sending device basis, in order to 
transferring information from a terminal on the private network to a terminal 
25 on the global network; and 

a database unit for recording the address translation rules. 

7. The address translation apparatus according to Claim 6, 
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wherein 

the address translation unit further has: 

means for adding an address translation rule established on a per 
sending device basis to the database unit in response to a request for initiating 
5 communication sent from a terminal on the global network or a terminal on a 
private network; and 

means for deleting the added address translation rule from the 
database unit when a predetermined criterion for ending communication is 
satisfied. 

10 8. The address translation apparatus according to Claim. 7, 

comprising: 

an authentication unit which performs authentication in response to 
a request for initiating communication from a terminal on the global network, 
wherein: 

15 the database unites further records user information used by the 

authentication unit to perform authentication; and 

the address translation unit adds the address translation rule to the 
database unit in response to a request for initiating communication from a 
terminal on the global network only if the authentication succeeds. 

20 9, The address translation apparatus according to Claim 7, 

wherein the address translation unit adds the address translation rule to the 
database unit in response to a request for initiating communication from a 
terminal on the global network only if an authentication server which 
performs authentication requests the addition. 

25 10. An authentication server which permits access to the address 

translation apparatus according to Claim 9, comprising: 

an interface unit which provides communication with a terminal on 
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the global network and the relay apparatus; 

an authentication unit which performs authentication in response to 
a request for permission to access the relay apparatus from a terminal on the 
global network; 
5 a control unit having: 

means for requesting the address translation apparatus to add an 
address translation rule for a packet sent from a terminal on the global 
network if authentication at the authentication unit succeeds; and 

means for requesting the address translation apparatus to delete the 
10 added address translation rule when a predetermined criterion for ending 
communication is satisfied; and 

a database unit which records user information used by the 
authentication unit to perform authentication. 

11. A firewall apparatus which allows a packet from a global 
15 network extemal to the firewall to pass through to a private network internal 
to the firewall apparatus if the packet meets an acceptance condition set in a 
database imit, comprising: 

a WAN interface unit which provides communication with the 
global network; 

20 a LAN interface unit which provides communication with the 

private network; 

an access control unit having means for controlling access from the 
global network to the private network in accordance with an access control 
rule established on a per sending device basis or on a per sending network 
25 basis; 

an authentication unit which performs authentication in response to 
a request for access permission from the global network; and 
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a database unit which records the access control rule and user 
information used by the authentication unit to perform authentication. 

12. The firewall apparatus according to Claim 11, wherein: 

the access control unit further has means for adding an access 
5 control rule established on a per sending device basis or on a per sending 
network basis to the database unit if authentication at the authentication unit 
succeeds and an access control rule for a request for access permission from a 
device on the global network is not recorded in the database unit; and 

means for deleting the added access control rule from the database 
10 unit when a predetermined criterion for ending conmiunication is satisfied. 

13. The firewall apparatus according to Claim 12, wherein the 
access control unit further has: 

means for, if a request for new access permission is provided from a 
device on the global network that is using an established secure session during 
15 the duration of the secure session, sending notification seeking confirmation 
of the request to the device on the global network by using the secure session; 
and 

means for rejecting a new access regardless of the access control 
rule if denial of the request is retumed from the device on the global network. 
20 14. The firewall apparatus according to any of Claims 11 to 13, 

wherein the access control unit further has: 

means for monitoring the status of communication; and 
means for notifying the device on the global network of an anomaly 
in communication if a predetermined criterion for communication anomaly is 
25 satisfied. 

15. An address translation method for a terminal on a private 
network that does not have an address on a global network to perform 
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communication through the global network, comprising: 

recording an address translation rule established on a par sending 
device basis in a database unit beforehand; 

when a packet from the global network is received by a WAN 
5 interface unit, 

translating, by an address translation unit, a destination address in 
accordance with the address translation rule; and 

transferring, by a LAN interface unit, the packet having the 
translated address to the private network; 
10 when a packet from the private network is received by a LAN 

interface unit, 

trsinslating, by the address translation unit, a source address in 
accordance with the address translation rule; and 

transferring, by the WAN interface unit, the packet having the 
15 translated address to the global network. 

16, An address translation method for a terminal on a private 
network that does not have an address on a global network to perform 
communication through the global network, comprising: 

recording an address translation rule established on a per sending 
20 device basis in a database unit beforehand; 

when a packet from the global network is received by a WAN 
interface unit, 

performing authentication in an authentication unit and; 

if the authentication succeeds, checking, by the address translation 
25 unit, the database unit to see whether or not an address translation rule that 
matches source information and destination information of the packet is 
stored in the database unit, and 
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if a matching address translation rule is found in the database unit, 
translating the address of the packet in accordance with the address translation 
rule; 

if a matching address translation rule is not found in the database 
5 unit, adding an address translation rule to the database unit and translating the 
address of the packet in accordance with the added address translation rule; 
and 

transferring, by a LAN interface unit, the packet having the 
translated address to the private network; 
10 when a packet from the private network is received by the LAN 

interface unit; 

checking, by the address translation unit, the database unit to see 
whether or not an address translation rule that matches source information and 
destination information of the packet is recorded in the database unit, and 
15 if a matching address translation rule is found in the database unit, 

translating the address of the packet in accordance with the address translation 
rule; 

if a matching address translation rule is not found in the database 
unit, adding an address translation rule to the database unit and translating the 
20 address of the packet in accordance with the added address translation rule; 
and 

transferring by the WAN interface unit the packet having the 
translated address to the global network; and 

if there is an address translation rule added by the address 
25 translation unit, deleting the address translation rule from the database unit 
when a predetermined criterion for ending communication is satisfied. 

17. The address translation method according to Claim 16, 
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wherein, instead of performing authentication in the authentication unit, 
determination is made that authentication is successful when a request is 
received from an authentication server which performs authentication of a 
terminal on the global network. 
5 18. An access control method for allowing a packet from a global 

network extemal to a firewall to pass through to a private network internal to 
the firewall if the packet meets an access control rule set in a database unit, 
comprising: 

recording an access control rule established on per a sending device 
10 basis or on a per sending network basis in a database unit beforehand; and 

when a connection request from the global network is received by a 
WAN interface unit, checking, by an access control unit, the database unit to 
see whether or not an access control rule that matches the connection request 
is recorded in the database unit; and 
15 if the access control rule is found in the database unit, permitting 

communication, 

19. An access control method for allowing a packet from a global 
network extemal to a firewall to pass through to a private network intemal to 
the firewall if the packet meets an access control rule set in a database unit, 
20 comprising: 

recording an access control rule established on a per sending device 
basis or on a per sending network basis in a database unit beforehand; and 

when a connection request from the global network is received by a 
WAN interface unit, performing authentication in an authentication unit; and 
25 if the authentication succeeds, checking, by an access control unit, 

the database unit to see whether or not an access control rule that matches the 
connection request is recorded in the database unit; and 
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if a matching access control rule is found in the database unit, 
permitting the communication; 

if a matching access control rule is not found in the database unit, 
adding an access control rule established on a sending device basis or on a 
5 sending network basis to the database unit and permitting the communication; 

when a packet from the private network is received by a LAN 
interface unit, 

checking, by the access control unit, the database unit to see 
whether or not an access control rule that matches the connection request is 
10 recorded in the database unit; and 

if a matching access control rule is found in the database unit, 
permitting communication; 

if a matching access control mle is not found in the database unit, 
adding an access control rule established on a sending device basis to the 
15 database unit and permitting the communication; and 

if there is an access control rule added by the access control unit, 
deleting the access control rule from the database unit when a predetermined 
criterion for ending communication is satisfied. 

20. The access control method according to Claim 19, instead of 
20 performing authentication in the authentication unit, determination is made 

that authentication is successful when a request is received from an 
authentication server which performs authentication of a terminal on the 
global network. 

21. The access control method according to any of Claims 18 to 
25 20, wherein: 

the communication status of a established secure session is 
monitored during the secure session; and 
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if a predetermined criterion is met, the device on the global network 
that is using the established secure session is notified of occurrence of 
anomaly. 

22. The access control method according to any of Claims 18 to 
5 20, wherein: 

if a new connection request from a terminal on the global network 
that has established a secure session is received by the WAN interface unit 
during the duration of the secure session, the information on the connection 
request is notified to the terminal on the global network that has the 
10 established secure session; and 

if a denial of the request is returned from the device, rejecting the 
connection regardless of the access control rule recorded in the database unit. 



